Avoiding Pre-Auth/Auth Principal State Disclosure
Wed Jul 1 01:56:31 2020
To: "kerberos@mit.edu" <kerberos@mit.edu>
From: Eric Hattemer <ehatteme@usc.edu>
Message-ID: <e7075d39-df65-39ff-9389-432d38d0059f@usc.edu>
Date: Tue, 30 Jun 2020 22:53:44 -0700
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
If you run a client like kinit and ask for a principal with
REQUIRES_PRE_AUTH and a disabled/pw_expired/locked-out state, or request
a principal that doesn't exist, you aren't asked for a password and get
an immediate response with the status of the account. Is there a way to
avoid this behavior? People have created hacking toolkits that try
every possible username to download the list of usernames in the
database and their state.
I know pre-auth is a special case where you'd need to provide a
plausible challenge for non-existent accounts. But is there maybe a
setting to treat unknown principals as if they had pre-auth disabled,
request a password, and just send back invalid password / encryption
failed no matter what?
We were trying to implement an authentication proxy module that uses
Kerberos, and we wanted to only disclose that an account was disabled if the
user typed in the correct password. But the only case we could make
work was if the account was expired (different from pw_expired).
--
Eric Hattemer
Engineer
Identity and Access Management
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
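An added example, not part of this post, showing the defensive side of the question: a small Python detector that reads MIT krb5kdc AS_REQ log lines and flags a source address that draws pre-password status replies (CLIENT_NOT_FOUND, NEEDED_PREAUTH, key expired, locked out) for many distinct principals, which is what the username-probing toolkits described above look like in a KDC log. The line shape is assumed to follow MIT krb5kdc's AS_REQ entries; every address, principal and timestamp in the sample is constructed.

```python
import re
from collections import defaultdict

# Assumed line shape: MIT krb5kdc AS_REQ log entries. The addresses, names and
# timestamps in SAMPLE_LOG are constructed sample data, not from a real KDC.
AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_ ]+?): "
    r"(?:.*?, )?(?P<client>\S+) for (?P<server>\S+)"
)

# Statuses the KDC returns before any password is presented: these are the
# replies that reveal whether a principal exists and what state it is in.
PRE_PASSWORD_STATUSES = {
    "CLIENT_NOT_FOUND",    # no such principal
    "CLIENT EXPIRED",      # account expired
    "CLIENT KEY EXPIRED",  # password expired
    "CLIENT LOCKED OUT",   # lockout policy triggered
    "NEEDED_PREAUTH",      # principal exists and is usable
}

def parse_as_req(line):
    """Return the ip/status/client/server fields of an AS_REQ line, or None."""
    m = AS_REQ_RE.search(line)
    return m.groupdict() if m else None

def enumeration_suspects(lines, threshold=5):
    """Map source IP -> sorted distinct principals probed, for sources that
    drew a pre-password status for at least `threshold` different principals.
    ISSUE and PREAUTH_FAILED are ignored: those required a password attempt."""
    probed = defaultdict(set)
    for line in lines:
        rec = parse_as_req(line)
        if rec and rec["status"] in PRE_PASSWORD_STATUSES:
            probed[rec["ip"]].add(rec["client"])
    return {ip: sorted(n) for ip, n in probed.items() if len(n) >= threshold}

SAMPLE_LOG = """\
Jun 30 22:50:01 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: aaron@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 22:50:01 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 22:50:02 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT KEY EXPIRED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jun 30 22:50:02 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT LOCKED OUT: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client's credentials have been revoked
Jun 30 22:50:03 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: CLIENT_NOT_FOUND: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jun 30 22:50:03 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jun 30 22:51:10 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 22:51:11 kdc krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1593582671, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

if __name__ == "__main__":
    for ip, names in enumeration_suspects(SAMPLE_LOG.splitlines()).items():
        print(ip, "probed", len(names), "principals:", ", ".join(names))
```

Raise the threshold and add a time window for a production feed; a single client typing several distinct usernames is normal, dozens in seconds is not.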